Recently our team was tasked to implement MySQL 8.0 in production
for a client. While MySQL 8.0 is looking very promising and has a
lot of cool new features and revamped old features, it’s still
pretty young. The MySQL development team is working very hard on
stabilizing the product but, reading the latest release notes for version 8.0.12, it is
still very much a bugfix release and not something you will want
to put in production immediately. Also, given the fact that a lot
of tools such as Percona
Xtrabackup do not support MySQL 8.0 yet, we were a bit
reluctant to proceed with this idea. But … the client had a
strong use case to make use of roles and resource groups and we
like challenges so we decided to give it a go.

Earlier this year, I was presented with the challenge of
streamlining user access to MySQL, allowing users self-serve
access using their LDAP credentials, while logging all access. Of
course, various MySQL forks allow for user auditing, but the
solution is also needed to eventually support other data storage
systems without native user auditing. This gave me the
opportunity to do a trial integration of MySQL, Vault, ProxySQL,
and LDAP; Vault would be used to dynamically create user
accounts, and ProxySQL would be used to limit access and log
activity. To evaluate the functionality and configuration of the
integration, I used Docker to set up a test environment.

In the quest to secure MySQL and to reduce the number of
complicated passwords users have to remember, many organizations are looking
into external authentication, especially using LDAP. For free and
open source deployments, Percona’s PAM authentication plugin is the
standard option.

In this blog, we’ll look at how to set up and
troubleshoot the Percona PAM authentication plugin.

We occasionally get requests from our support clients on how to
get Percona Server for MySQL to authenticate with an external
authentication service via LDAP or Active Directory. However, we
normally do not have access to the client’s infrastructure to help
troubleshoot these cases. To help them effectively, we need to
set up a testbed to reproduce their issues and guide them on
how to get authentication to work. Fortunately, we only need to
install Samba to provide an external authentication service for
both LDAP and AD.

In this article, I will show you how to (a) compile and install
Samba, (b) create a domain environment with Samba, (c) add users
and groups to this domain and (d) get Percona Server …

We manage hundreds of servers and have a need to add and remove
DBAs, application developers, and so on regularly. Doing this
manually is just beyond the scope of what we can realistically
manage. Since we are already using LDAP, we wanted to find a way
to integrate it with MySQL.

After reading many, many articles and getting diverse opinions as
to whether or not it was even possible, we decided to give it a
try. From what we read, it appears that MySQL Enterprise edition
does exactly what we want; unfortunately, we don’t have an
Enterprise support contract, ruling that out as an option. Knowing
that Percona tends to mimic many of the Enterprise features, we
decided to pursue doing this with Percona Server. Further reading
showed this could be possible with the PAM plugin, which would
then authenticate via LDAP. A little indirect, but it seemed like
our only solution.

This is getting more and more common, so I wanted to provide the
steps required to get LDAP authentication working with the MariaDB
PAM plugin.

Unless you’re already familiar with setting up the MariaDB PAM
plugin, I’d first recommend getting this to work with a standard
Linux user (steps 1-4), then once all is working fine, progress
to the LDAP users (steps 5-10). (And if you do not want to test
this for the Linux user account, then you may skip steps #2 and
#3.)

Enable the plugin by running the following from the command line
client:

INSTALL SONAME 'auth_pam';

You should see an entry like this afterward in SHOW PLUGINS:

| pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |

Create the mysql user account (note it does not have a
password, as it will obtain this from your Linux user, and
eventually the LDAP account) and provide it with the GRANTS you
want it to …
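The first steps above (load the plugin, create a passwordless account that authenticates via PAM, grant it privileges, verify), carried through as an added example that is not from the original post. The user name, host range, schema and PAM service file name are assumptions:

```sql
-- Added example (not from the original post). Assumes MariaDB 10.x,
-- a Linux account 'alice' on the database host, and a PAM service file
-- /etc/pam.d/mariadb containing:
--   auth    required pam_unix.so
--   account required pam_unix.so
-- When the LDAP users are introduced later, only that service file
-- changes (pam_unix.so -> pam_ldap.so); the SQL side stays the same.

-- 1. Load the PAM authentication plugin. MariaDB records it in
--    mysql.plugin, so it survives a restart.
INSTALL SONAME 'auth_pam';

-- 2. Confirm it is ACTIVE (same information as the SHOW PLUGINS row).
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE, PLUGIN_LIBRARY
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME = 'pam';

-- 3. Create the account with no MySQL-side password: the credential
--    check is delegated to the 'mariadb' PAM service. Restricting the
--    host part keeps the PAM-backed login off untrusted networks.
CREATE USER 'alice'@'10.0.0.%' IDENTIFIED VIA pam USING 'mariadb';

-- 4. Grant least privilege: read-only access to a single schema.
GRANT SELECT ON reporting.* TO 'alice'@'10.0.0.%';
FLUSH PRIVILEGES;

-- 5. Verify that the account is bound to the plugin and stores no
--    password hash of its own; an unexpected non-empty
--    authentication_string would mean a local password crept in.
SELECT User, Host, plugin, authentication_string
  FROM mysql.user
 WHERE User = 'alice';
```

Note that pam_unix.so has to read /etc/shadow; the MariaDB auth_pam documentation describes the helper used for this so that mysqld itself does not need those permissions.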

The Severalnines team is pleased to announce the release of
ClusterControl 1.2.8. This release contains key
new features along with performance improvements and bug fixes.
We have outlined some of the key new features below.

ClusterControl 1.2.6 introduces integration
with Active Directory and LDAP authentication. This allows users
to log into ClusterControl by using their corporate credentials
instead of a separate password. LDAP groups can be mapped onto
ClusterControl user groups to apply roles to the entire group, so
it is very convenient for larger organizations who have a
centralized LDAP-compliant authentication system. This blog shows
you how to configure LDAP authentication in ClusterControl, and
allow users to use their Active Directory or LDAP username and
password to log in to ClusterControl.

LDAP authentication can be configured from ClusterControl, in the
Admin dashboard (ClusterControl > Admin > LDAP
Settings). If you are running ClusterControl v1.2.5 or
older, please …

Join our upcoming New Features Webinar on
ClusterControl 1.2.6 on May 13th 2014, which includes a live
demo. Click on the following banner to register:

The Severalnines team is pleased to announce the release of
ClusterControl 1.2.6. This release contains key new features
along with performance improvements and bug fixes. We have
outlined some of the key features below.

Instead of writing (and having to deploy) your own client plugin,
you can probably reuse the cleartext client-side plugin,
especially because it is already available in a number of MySQL clients.
Check sql-common/client.c in MySQL 5.5+ for details.

This is very useful because you only need to install the plugin on the
server side; on the client side you only need to check that the
clear-password plugin is enabled.

Now, I present the updated code with only the server-side plugin,
reusing the cleartext client-side plugin from MySQL; it is
shorter and focused purely on LDAP authentication:
